The research from CSIRO’s Data61 division describes ‘touch based tracking’ which sees your device extracting data on how you tap, zoom, and swipe, including the velocity and acceleration of the movements.

Professor Mohamed Dali Kaafar, group leader at Information Security and Privacy at Data61, told Fairfax Media, using a single app for an hour provides enough information to distinguish a user from over a billion others.

Advertisement

The important difference between other methods of data collection is touch based tracking can identify who is using the device, not just what account is logged in.

Professor Kaafar sees the benefits of touch-based tracking in providing personalised experiences but warns that consumers need to be wary.

Phones can track your distinctive finger movements.Credit:Glenn Hunt.

“Touch based behavioural tracking is a stealthy way of tracking us it doesn’t need permissions and most people would relate it to something completely harmless or irrelevant,” he said.

“Actually, it’s a really powerful way of collecting user data and we should really try to avoid the potential dangers in the future that it could cause to our privacy.”

Professor Kaafar, who is also the chief scientist at Optus Macquarie University Cyber Security Hub, said applications can access and collect this data without a single permission turned on in your mobile device.

“There’s nothing in the phones operating system that prevents applications from using this data,” he said.

“It’s all seemingly harmless information that is actually useful for basic useability, helping to orient the screen correctly and turn at the right time.”

There’s nothing in the phones operating system that prevents applications from using this data

According to the research, touch based tracking can potentially track and distinguish between multiple users on the same device.

It can even identify users across multiple devices – ‘Cross-device tracking’ – potentially building a user profile that can be used by advertisers or third parties interested in individual’s online behaviour.

Professor Kaafar said, once the authentication phase is complete, a user can be recognised within a couple of seconds of using a device.

Loading

“A device can continuously monitor behaviour, it will recognise if someone with different features uses that device, it’s very accurate once it’s trained and it keeps training itself,” he said.

Professor Kaafar said there are applications potentially already collating this data but he could not say whether or not they are doing so for a malicious purpose.

The technology could also be used, for example, to prevent children from accessing adult content on shared devices, and personalising specific user content, he said.

It would also be possible to identify and block users not known to the device as an increased security measure, he said.

CSIRO Data61 has developed its own android application ‘TouchTrack’ to show the public how easy it is to create their own unique touch-based signature which can be downloaded from the Google Play store.